-= CVE-2006-3747 =-

Vulnerable versions: Apache 1.3.x, where x >= 28
                                 Apache 2.0.x, where 46 <= x < 2.0.59
                                 Apache 2.2.0, 2.2.2
File(s): modules/mappers/mod_rewrite.c
Download from:
  http://archive.apache.org/dist/httpd/httpd-2.2.2.tar.gz

Domain: Web (HTTP) Server

_ Vulnerable Functions and Buffers _

The function escape_absolute_uri() declares an array of strings 
token[] of size 5 and uses an int, c, to index into it. c is protected
by a bounds check, "c < 5"; however, c is incremented in the loop
prior to being used as an array index, so we have an off-by-one error.

_ Decomposed Programs _

apache.h
apache.c

escape_absolute_uri/
  simp1_bad.c
  simp2_bad.c
  simp3_bad.c
  strncmp_bad.c
  full_bad.c

_ Note _

Note that the original example uses apr_pstrdup(), which I elided to
avoid dynamic memory allocation, and strncasecmp(), for which I
substituted strncmp() to avoid penalizing tools for not understanding
ASCII arithmetic.

